Correct
A cybersecurity analyst wants to collect indicators of compromise (IoCs) to identify,
investigate, and mitigate threats. What are some examples of IoCs that the analyst will be
collecting? (Select the three best options.)
answer
Unfamiliar new files
Correct Answer:Correct
Unusual account behaviors
Correct Answer:Correct
Expected configuration changes
Odd network patterns
Correct Answer:Correct
Explanation
Odd network patterns are one of the many indicators of compromise (IoCs) that the
cybersecurity analyst might collect. Other common forms of IoC include unusual outbound
network traffic, logins occurring from unexpected geographic locations, and suspicious
privileged user account behavior.
Unusual account behavior is another example of an indicator of compromise (IoC) that the
analyst might collect.
If the analyst finds an unfamiliar new file on a system, it would also be an indicator of
compromise (IoC).
Expected configuration changes to a system are not an indicator of compromise (IoC).
Unexpected configuration changes to a system would be an IoC.
Related Content
resources\questions\q_exploring_threat_intelligence_and_threat_hunting_concepts_25.question.xml
Question 2
Correct
An IT professional is responsible for identifying potential threats within the organization's
isolated network. The professional wants to focus on vulnerabilities that attackers could
exploit, even if not connected to the internet. What focus area should the IT professional
concentrate on to achieve this goal?
answer
Business-critical asset hunting
Misconfiguration hunting
Business-critical asset management
Isolated network hunting
Correct Answer:Correct
Explanation
Isolated network hunting searches for vulnerabilities in physical access points that could be
used to gain access to the isolated network. Attackers may exploit vulnerabilities within the
isolated network to gain unauthorized access or to escalate privileges.
Misconfiguration hunting involves searching for misconfigured systems, services, or
applications that attackers could exploit, such as weak passwords, open ports, or unpatched
software. This is not directly related to identifying vulnerabilities attackers could exploit within
an isolated network.
Business-critical asset hunting searches for vulnerabilities and threats that could impact
business-critical assets, and while important, it does not identify vulnerabilities within the
isolated network.
Business-critical asset management manages the processes for critical assets, such as new
user creation, money transfer, access permission approvals, and other similar high-risk
functions.
Related Content
resources\questions\q_exploring_threat_intelligence_and_threat_hunting_concepts_09.question.xml
Question 3
Correct
A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure
Security Agency. Which source of defensive open-source intelligence (OSINT) does the
agency represent?
answer
CSIRT
CERT
Government bulletins
Correct Answer:Correct
Internal sources
Explanation
The government is responsible for protecting the country's constituents and the national
infrastructure and for publishing information and advice regarding observed threats. For
example, the Department of Homeland Security and the Cybersecurity and Infrastructure
Security Agency publish several types of cybersecurity guidance, including basic informational
content and binding operational directives that federal agencies must implement.
A computer emergency response team (CERT) aims to mitigate cybercrime and minimize
damage by responding to incidents quickly.
Internal sources also matter: it is important to consider that evidence regarding active threats,
reconnaissance activities, and suspicious behavior exists within the protected environment.
A computer security incident response team (CSIRT) is a group responsible for responding
to security incidents involving computer systems.
Related Content
resources\questions\q_exploring_threat_intelligence_and_threat_hunting_concepts_18.question.xml
Question 4
Correct
A systems administrator is researching active defense approaches. The administrator
decides to install a honeypot to lure attackers away from assets of actual value. What is true
of a honeypot? (Select the three best options.)
answer
Honeypots assist defensive teams in identifying and responding after an attack has taken
place on critical systems.
Honeypots can provide an early warning regarding ongoing attacks.
Correct Answer:Correct
Honeypots seek to redirect malicious traffic away from live production systems.
Correct Answer:Correct
Honeypots help collect intelligence on the attackers and their techniques.
Correct Answer:Correct
Explanation
Honeypots seek to redirect malicious traffic away from live production systems by luring
attackers away from assets of actual value and/or discovering attack strategies and
weaknesses in the security configuration.
Honeypots can provide an early warning regarding ongoing attacks. This helps defensive
teams identify and respond to attacks before they affect critical systems.
Honeypots collect intelligence on attackers and the techniques they utilize. This helps
administrators observe attackers and learn their strategies to better thwart them in the future.
Honeypots do not assist defensive teams in identifying and responding after attacks on
critical systems occur. The main purpose of such devices is to thwart potential attacks on
critical systems before they occur.
Related Content
resources\questions\q_exploring_threat_intelligence_and_threat_hunting_concepts_27.question.xml
Question 5
Correct
An IT administrator wants to improve the organization's cyber defense strategy. The
administrator would like to use offensive actions to outmaneuver adversaries, making an
attack harder to execute. Which of the following concepts best describes the approach?
answer
Honeypots
Threat hunting
Active defense
Correct Answer:Correct
Threat intelligence
Explanation
Active defense describes using offensive actions to outmaneuver adversaries, making an
attack harder to execute. An active approach to cyber defense seeks to increase the likelihood
that attackers will make mistakes and expose their presence or attack methods.
Threat intelligence involves collecting and analyzing information about potential cyber threats
but does not involve offensive actions.